GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU

27 November 2018

International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies. Our previous blog on this topic confirmed that, following Brexit, the UK will be a ‘third country’ for the purposes of international transfers of data under the GDPR, which could have serious implications on the practicalities of legally transferring personal data from the EU to the UK.  This blog updates the position and examines the possible outcomes of the on-going Brexit negotiations on the transfer of personal data from the EU to the UK. 

Deal

On 14 November 2018, the UK government published a draft withdrawal agreement (governing the terms of the UK’s departure from the EU), Article 71(1) of which anticipates a transition period for the continued application of EU data protection law (i.e. the GDPR) for the processing of the personal data of individuals resident outside the UK, provided that the personal data: (a) was processed under EU law in the UK before the end of the transition period; or (b) is processed in the UK after the end of the transition period on the basis of the withdrawal agreement.  However, the continued application of EU data protection law merely affirms the current position that personal data may only be transferred to third countries (such as the UK after Brexit) if the European Commission (the “Commission”) has provided that country with an adequacy decision or, in the absence of an adequacy decision, either certain safeguards are adopted in relation to the transfer or a specific derogation can be relied upon (see our previous blog for more details).    

Fortunately, according to Article 71(2), the transitional arrangements referred to above will fall away if the Commission makes an adequacy decision essentially affirming that the UK’s processing of personal data provides a satisfactory level of protection to EU-based individuals. This would mean there is no need for reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK, which will result in minimal disruption to business continuity. However, it’s worth noting that adoption of the draft withdrawal agreement by the UK Parliament and EU leaders does not guarantee the provision of an adequacy decision for the UK, although it would seem to be in all parties’ interests for the Commission to implement an adequacy decision in the event of the UK and the EU striking a Brexit deal.    

Even if the UK receives an adequacy decision, the draft withdrawal agreement reminds us that it is not permanent and could be repealed by the EU after one of its periodic reviews of the UK’s data protection laws post-Brexit. If an adequacy decision ceased to apply for any reason then Article 71(3) requires the UK to “ensure a level of protection of personal data essentially equivalent to that under EU law…” Onerous as this may seem, it is not a commitment for the UK to maintain and apply the GDPR (which is currently incorporated into domestic law, irrespective of Brexit, by the Data Protection Act 2018), rather we will have some discretion as to how we implement data protection law albeit curtailed to some extent by the withdrawal agreement. However, irrespective of how we tinker with our domestic data protection law, the absence of an adequacy decision for the UK means reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK which, as you will note below, is as good as having no deal in place!

No deal

On 25 November 2018, a summit of EU leaders unanimously approved the terms of the draft withdrawal agreement. However, if the UK Parliament fails to approve the draft withdrawal agreement, resulting in a no deal Brexit, the Commission has expressly stated that the adoption of an adequacy decision is not part of its contingency planning.  EU member states do not have the power to unilaterally grant adequacy decisions to third countries as approval from representatives of all EU member states is required. This effectively rules out the possibility of the UK concluding bilateral agreements with member states on the international transfer of personal data where EU law applies.

A no deal Brexit therefore suggests an extended period of reliance on the safeguards and derogations referred to above in order to legally transfer personal data from the EU to the UK. As you will note from our previous blog, reliance on these measures to govern all transfers of personal data from the EU to the UK is likely to be cumbersome in practice, partly given the rigid nature of the Standard Contractual Clauses (SCCs) (in so far as they must be adopted entirely and without amendment to their legal effect) and the magnitude of the task presented by establishing legally sound Binding Corporate Rules from a time and resource perspective. Also noteworthy is that the validity of SCCs is under consideration by the European Court of Justice as questions have arisen over whether they satisfy the standards of care required by the more recent GDPR.

What you can do now

It’s currently unclear as to whether the UK Parliament will approve the draft withdrawal agreement (and early signs are certainly not positive) and, even if it is approved, we will need to wait and see if the UK will receive an adequacy decision during the transitional period of Brexit. The only certainty we have at this point is that a no deal Brexit means reliance on the safeguards and derogations in order to legally transfer personal data from the EU to the UK. If your business is reliant upon such data transfers from the EU, it would be advisable to consider putting in place contingency plans for a no deal Brexit by preparing for the use of appropriate safeguards and/or derogations. 

Should you have any Brexit, GDPR or data protection queries, please contact our Data Protection team.

Brexit Bulletin Board

Brexit Bulletin Board

The EU Settlement Scheme - a guide for EU citizens living in the UK

Click here to play video

Brexit - What EU citizens living in the UK need to know

Read More

Brexit - what British citizens living in the EU need to know

READ MORE

Kingsley Napley's immigration team sponsors Financial and Professional Services Post-Brexit Immigration Briefing

READ MORE

No-deal Brexit: transitional arrangements for EEA nationals arriving after 29 March 2019

READ MORE

EU Settlement Scheme - what you need to know

In this podcast, Gillian Brownlee and Felicity Woof discuss the new EU Settlement Scheme which is due to go live on 30 March 2019.

Listen to the podcast

Post-Brexit data sharing with EU regulators is key for FCA policing market abuse

Read News Item

No deal Brexit: what this would mean for extradition?

Rebecca Niblock blogs

What Brexit means for EU employees living in the UK and their families

View on YouTube

'Playing by their own rules?' - Brexit blog series

Our Public Law team blogs about secondary legislation and Brexit.

View the blog series

Mutual trust remains until we leave: notification of intention to leave the EU not an exceptional circumstance

Read the blog

Holiday home/Retirement planning: will Brexit wreck it?

A question you may ponder as you relax on that sunlounger in the weeks ahead is whether you need to review your arrangements for any EU based property in light of Brexit.

Read the blog

#Brexit: Further clarification on the rights of EU citizens living in the UK: https://bit.ly/2LY0QtA

View Tweet

Brexit and the European Arrest Warrant (EAW): at least now we know what we don’t know

Read the blog

Brexit & Horse Racing

The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact horse racing and all who are part of it.

Read Blog Post

Brexit: "It was not this that I promised to do"

Read the blog

Blackberries, Baking and Brexit

Read Blog Post

Could Brexit send Geraint Thomas into a spin?

Hanging over this year’s Tour de France, at least for this British cycling fan, was the realisation that this is probably the last Tour pre-Brexit, and so there is an additional level of uncertainty about what the 2019 post-Brexit edition will look like.

Read the blog

Brexit and practising rights for lawyers

Two Solicitor friends of mine recently asked me to sign their applications to register with the Law Society of Ireland. I asked them if they were thinking of moving.

Read Blog Post

A change of course? Pondering the future of golf in Brexit Britain

As avid golfers focus their attention on the US Masters in Augusta Georgia next month, many at the 19th Hole will be pondering the impact of Brexit on their beloved game.

Read the blog

UK-EU security cooperation post #Brexit - ringing the alarm bell! | Part II of a two-part guest blog by EU Criminal Law expert Dr Debbie Sayers | #CriminalLaw http://ow.ly/bO0b30jwHfa

View Tweet

Brexit & Motor Racing

The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact motor racing and all who are part of it.

Read Blog Post

Post-Brexit language testing for EEA qualified healthcare professionals

On March 7 2018, the House of Commons Library published a Briefing Paper outlining the language testing requirements imposed upon healthcare professionals who qualified outside of the UK.

Read Blog Post

Kim provides the facts! #stayorgo

View Tweet

Beyond #Brexit: new anti-money laundering regime agreed

No sooner are we one year into the new regime under the Money Laundering Regulations 2017 than a further EU instrument has been adopted.

Read Blog Post

No-deal Brexit and the impact on patient safety

READ MORE

Divorced, beheaded, scrutinised? SIs and Henry VIII powers under review

Read the blog

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

You may also be interested in:

Close Load more

Let us take it from here.

+44 (0)20 7814 1200

enquiries@kingsleynapley.co.uk

Skip to content Home About Us Insights Services Contact Accessibility